Policy 635: Network and System Access defined the responsibilities for authorizing, administering, and auditing access to state information systems.
Standard 635S1: Privileged Account Management defines the requirements for the granting and management of privileged user accounts – accounts providing increased access, such as network, system, or security administrator accounts, and therefore requiring additional authorization and more controlled management.
Risks that are addressed in the standard:
The Principle of Least Privilege is the practice of limiting access rights for users to the bare minimum permissions needed to perform their work. Users should use privileged accounts to perform privileged functions (like creating a new user account in the Active Directory domain) and non-privileged accounts to perform more basic functions (like browsing a website).
Policy 635 addresses NIST SP 800-53 security controls AC-1, AC-2. AC-3, AC-5, AC-6, and AC-8.
Standard 635S1 addresses NIST SP 800-53 security controls:
- AC-6: Least Privilege
- AC-17 (CE4): Remote Access Privileged Commands / Access
- AU-9 (CE4): Access by Subset of Privileged Users
View or Download: